Defense+ file integrity detection

[Guest]

[deleiro]

Thanks, good sugestion - i guess this works for the installations case (removing the executables). Do i see the executables for which i defined policys in the protected files area?. I still believe thou, that  my sugestion (1) is needed. There will be cases when a malware/virus/worm will break in via some system process buffer overrun or w/e and can modify exe's for which i have defined rules w/o notification.

It depends how confident are the devs about D+ capability to protect system and other processes from such threats. It's always good to have second line of defense like hash-check every start of rule enabled exe. But if this will be paid with more clumsy Comdo and burdened system I personally prefer to stay like now.

Just my 1 cent.

[gpnx]

egemem:
I just did this test with VirtualPC, comodo 3.0.25.378, winxp:
I have notepad2.exe (copy of notepad.exe) in c:\temp
I run it (notepad2.exe), it ask me for accessing the disk, monitor, kb, etc...i allow all.
I have this breakout2.exe , which i downloaded from matousec.com (spellcheck) and i put it in the same "c:\temp" direcotory..
Now, i rename notepad2.exe to notepad2.exe.bak and i rename breakout2.exe to notepad2.exe (no warnings at any of these steps)
Now i run notepad2.exe (which is the breakout2.exe) and it runs w/o any questions asked and uses the notepad2.exe policy and does it malware job (in this case it changes my desktop).

How to protect agains this , which settings i need to use.

This started all this post about need to check that the executable being run is the original one for which policy is being defined.

[deleiro]

egemem:
I just did this test with VirtualPC, comodo 3.0.25.378, winxp:
I have notepad2.exe (copy of notepad.exe) in c:\temp
I run it (notepad2.exe), it ask me for accessing the disk, monitor, kb, etc...i allow all.
I have this breakout2.exe , which i downloaded from matousec.com (spellcheck) and i put it in the same "c:\temp" direcotory..
..

As far as I understood you were allowed to rename breakout like notepad because Comodo knows you are human. If malware wants to rename itself like trusted application Comodo will interfere

[gpnx]

As far as I understood you were allowed to rename breakout like notepad because Comodo knows you are human. If malware wants to rename itself like trusted application Comodo will interfere

Well, the renaming happened via explorer.exe..what if its get hacked? Does comodo monitors "rename" action?
What if the executable is residing on removable device (which can be modified outside the current machine that comodo monitors)?

[egemen]

egemem:
I just did this test with VirtualPC, comodo 3.0.25.378, winxp:
I have notepad2.exe (copy of notepad.exe) in c:\temp
I run it (notepad2.exe), it ask me for accessing the disk, monitor, kb, etc...i allow all.
I have this breakout2.exe , which i downloaded from matousec.com (spellcheck) and i put it in the same "c:\temp" direcotory..
Now, i rename notepad2.exe to notepad2.exe.bak and i rename breakout2.exe to notepad2.exe (no warnings at any of these steps)
Now i run notepad2.exe (which is the breakout2.exe) and it runs w/o any questions asked and uses the notepad2.exe policy and does it malware job (in this case it changes my desktop).

How to protect agains this , which settings i need to use.

This started all this post about need to check that the executable being run is the original one for which policy is being defined.

It is because you are doing all these manually and CFP is configured to allow these by default. Go to computer security policy and remove the entry for %windir%\explorer.exe to see how CFP would catch a virus (assuming explorer.exe is a virus here). Alsotry to use paranoid mode to see as many popups as you can.

[deleiro]

Well, the renaming happened via explorer.exe..what if its get hacked? Does comodo monitors "rename" action?

Explorer is also with a rule so it's protected from any tampering with it. Yes I think only "read" is not monitored.

[gpnx]

It is because you are doing all these manually and CFP is configured to allow these by default. Go to computer security policy and remove the entry for %windir%\explorer.exe to see how CFP would catch a virus (assuming explorer.exe is a virus here). Alsotry to use paranoid mode to see as many popups as you can.

Well, the renaming happened via explorer.exe..what if its get hacked? Does comodo monitors "rename" action?
What if the executable is residing on removable device (which can be modified outside the current machine that comodo monitors).

If i take explorer.exe as you sugested, then i will have too many popups... explorer is part of the system. as many other processes. what if some of them gets hacked? for example, hackers takes over the system via (browers b/o, iis b/o or w/e) and uses explorer to modify system files... all the policy will still work with these modified files.

Also, i thought putting a file in "my protected files" won't allow even trusted/save apps to modify them.

[gpnx]

Defend+ in paranoid mode.
i copyied explorer.exe to c:\temp and ran it. couple of popus, which i alloweed. then i used it to rename some exe's. No popups asking for permission. I checked the network policies and i see an entry for the "c:\temp\explorer.exe" , but everything is on "ask" (default?). why no popups when renaming an .exe file ( protected by default).

[psych1610]

Again. It seems to me you're doing it. Did you remove %windir%explorer.exe as suggested?

[Vettetech]

From my knowledge there is no way malware could do what your doing. In order for malware to run you would have had to let it run by allowing it via a D+ alert.

[gpnx]

The problem is why when i ran that copy of the explorer.exe it was alloweed to rename existing exe's w/o questions.
Also, again, when a file is in my protected files group, can truested/system apps modify it w/o notification?

[ailef]

even if there's no crc file check to see if your exe is the same as usual,
some activity needs to run to change your exe file so D+ will alert u about this.
so to check integrity file can be added but as D+ will alert you if something want to change your exe, anyway u're protected but more protection is always better.
we never know what will happen and if something will not be able to bypass D+ to modify some exe without any alert. but the integrity check will tell that the file is not the same as it was last u used it.
don't know what think comodo coders about including integrity check but D+ is able to block a malware that wants to modify a file so u're protected.
now maybe some exploit is able to break into D+ to modify a file u allowed in rules...
anyway D+ is the best security tool i know and for the moment it's not possible to load something into memory that will change a file without a D+ alert.
there's no popup when u rename the file but when u launch it what's happening?
doesn't D+ alert u about this renamed file when it tries to start?
i tried to rename iexplore.exe in vista but i got a message that i need permission to do that and i can't rename it.
it's a vista protection. I tried to rename another prog into xp pro sp3 that is allowed in D+, when i start the renamed i got a D+ alert as it's exactly the same file except the name.
ezcddax.exe starts but ezcddax2.exe popup a D+ alert.
so even if u can rename a file as the new name is not in D+, u can't launch it without allowing it into D+.
the only possibility is some code able to bypass D+ to inject code into a file allowed and keep the same name.
in this case the modified file will start without any alert.
about monitoring rename file, u'll have to allow the code that will rename a file into D+ or maybe there's some exploit able to rename a file without a D+ alert but with a maybe u do nothing.

[Kyle]

Gpnx! Please read what the other members are saying! It's not going to get much more clearer than that, whats happening is YOU are modifying a program\file using windows explorer, for a malware to modify a program file it would have to get access to modify.

[Vettetech]

I have never been hacked ever. Nor have have ever known anyone to get hacked.

[panic]

Also, again, when a file is in my protected files group, can truested/system apps modify it w/o notification?

Yes, but why would they?

Ask yourself this, under what circumstances would a legitimate safe trusted application rename another safe trusted application? Other than by deliberate, conscious user intervention, I can't think of one (doesn't mean  it doesn't occur, just that I can't think of why it would).

If it were malware attempting to use a trusted application (like explorer.exe) to rename a known trusted  application, before explorer.exe could do that, you would have received an alert saying "XYZ.EXE is attempting to access explorer.exe in memory".

THIS is your clue that somethings not right.

THIS is where you can prevent the trusted application getting renamed by explorer.exe.

If, on the other hand, the malware attempted to directly manipulate the trusted application, you would have received an alert accordingly.

Hope this helps,
Ewen :-)

[Tags:]